configpolicy/roles/victoria-logs/templates/victoria-logs.container.j2

[Unit]
Description=Victoria Logs
Wants=network.target
After=network.target
StartLimitIntervalSec=1s
StartLimitBurst=1

[Container]
Image={{ victoria_logs_container_image }}
Pull=never
Exec={{ victoria_logs_args | join(' ') }}
User={{ victoria_logs_user.uid }}
Group={{ victoria_logs_user.group }}
Volume=%S/%p:/data:rw,z,U
NoNewPrivileges=yes
ReadOnly=yes
ReadOnlyTmpfs=yes
AddCapability=CAP_NET_BIND_SERVICE
Network=host
HealthCmd=/usr/bin/wget -q -O /dev/null 127.0.0.1:9428/health
HealthInterval=1m
HealthOnFailure=stop

[Service]
StateDirectory=%p
Restart=always
RestartSec=1
MemoryDenyWriteExecute=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=%S/%p
ReadWritePaths=%S/containers/storage
ReadWritePaths=%t
ReadWritePaths=/etc/containers/networks
RestrictRealtime=yes
UMask=0077

[Install]
WantedBy=multi-user.target